2. System Information



(a) Date PIA was completed: 07/03/2012 

(b) Name of system: Contact Management Database 

(c) System acronym: CMD 

(d) IT Asset Baseline (ITAB) number: pending 

(e) System description (Briefly describe scope, purpose, and major functions): 

The Contact Management Database (CMD) application is currently owned and
administered by the European Bureau and is being used at over 180 posts worldwide for
managing contacts and events. It provides a single interface for major functionality
including, but not limited to, the following:

• Managing Persons' Records 

• Managing Events 

• Managing Participants (persons invited to an Event) 

• Managing Event Seating 

• Official Person/Guest Lists 

• Managing Incoming Invitations from outside sources 

• Managing Appointments with non-DoS contacts

• Managing Gratuities

• Managing Sponsors

• Creating Labels/Envelopes 

• Merge letters/Invitation cards (mass mailing) 

• Custom reports (individual inquiries) 

• E-mail option 

• Statistics 



(f) Reason for performing PIA: 

[X] New system 

□ Significant modification to an existing system 

□ To update existing PIA for a triennial security re-certification 

(g) Explanation of modification (if applicable): 

(h) Date of previous PIA (if applicable): 

3. Characterization of the Information 

The system: 

□ does NOT contain PII. If this is the case, you must only complete Section 13.
[X] does contain PII. If this is the case, you must complete the entire template.

a. What elements of PII are collected and maintained by the system? What are
the sources of the information? 

CMD can collect both official and private data on contacts of the U.S.
government in its missions overseas. This data includes official data such as: last 
name, first name, maiden name, sex, date of birth, titles, marital status, office address, 
office telephone, office email, office fax, profession, rank and interests. It also includes 
private information (that is restricted based on user privileges) such as: partner name, 
sex, date of birth, maiden name, profession, titles, home address, home telephone, 
private email, passport number, ID number and dietary restrictions. 

Contacts that are not U.S. persons (that is, U.S. citizens or legal permanent residents) 
are not covered by the provisions of the Privacy Act or the E-Government Act of 2002. 

This information comes from various sources. It can come from, but is not
limited to, business cards, official websites, the contacts themselves, administrative 
assistants and publications. Private data is collected from the Contact. 

b. How is the information collected? 

Information is collected in a variety of ways. This could be through collection of 
business cards, direct contact with the person or over telephone, gathering contact data 
from the person's business or private website or even through the contacts submitting a 
contact card. The application itself does not have the capability to request data from 
contacts. 

c. Why is the information collected and maintained?

Information is collected and maintained to enable Posts to meet their outreach and event
goals and to support other functionality such as RSO access lists. Public Affairs, for
example, requires contacts' interests to be collected in order to better prepare outreach
or to reach the appropriate contacts, while Protocol requires data such as institutional data.

d. How will the information be checked for accuracy? 

Each post and section is responsible for its data. Standard operating procedures are
recommended to be in place to ensure that the data is maintained and accurate. The
application also has a data field titled "last verified" that helps sections track when 
contacts were last verified for accuracy. 

e. What specific legal authorities, arrangements, and/or agreements define the 
collection of information? 

22 U.S.C. 2621-2625 

f. Privacy Impact Analysis: Given the amount and type of data collected, 
discuss the privacy risks identified and how they were mitigated. 

The information collected on record subjects in CMD is necessary to fulfill the obligations
of CMD. The application allows large amounts of data to be collected from contacts, but
it also has security measures built in to limit who can see which information.
Official data is viewable by all users (official data is considered to be public) while private
data is restricted to users with elevated privileges for the section that person is assigned
to. For example, consular users with elevated rights can see private information of
Consular contacts, but not private information for other sections such as PA or EXEC.
This user level security, along with single sign-in functionality, ensures that data is
secured properly. This application is located in the OpenNet+ system only with no
access to outside data sources.

4. Uses of the Information 

a. Describe all uses of the information. 

The uses of the information collected in CMD are event planning, organizing outreaches, 
assisting in creating mailing lists for publications, tracking incoming invitations and 
appointments, tracking gratuities that are received or sent, managing event sponsors, 
checking in contacts to an event they attend, and planning for proper meals, catering, 
and seating charts. 

b. What types of methods are used to analyze the data? What new 
information may be produced? 

This application has a strong filter tool integrated into it which allows for custom reports
to be created based on the user's needs. There are no built-in standard reports;
instead, the application allows the filtered data to be exported in standard Word or Excel
format. These filters are used to display existing information and create lists
accordingly; for example, filtering all those attending an event who have dietary
restrictions for catering planning. But theoretically it would be possible to create
statistical data based on the filters (such as percentage of people in the database that
are married, etc.).

c. If the system uses commercial information, publicly available information, or 
information from other Federal agency databases, explain how it is used. 

If commercial or public information is used, then it is used to fill the official data within
the application. This application does not share data with other federal databases.

d. Is the system a contractor used and owned system? 

No, the U.S. Government owns this application and all source code. It was programmed 
by a contractor, but the main users are DoS employees. 

e. Privacy Impact Analysis: Describe the types of controls that may be in place 
to ensure that information is handled in accordance with the above uses. 

User access to information is restricted according to job responsibilities and requires 
managerial level approvals to get elevated access. Access control lists permit categories 
of information to be restricted such as private information. Users are required to have 
completed the annual Cyber Security Awareness training which covers the handling of 
PII.



5. Retention 



a. How long is information retained? 



Records are retained according to the following chapters of the retention schedules and
their subchapters (for specific retention maximums for each category, see the schedules at
http://infoaccess.state.gov/recordsmgt/recdispsched.asp):

Domestic: 

• 03: Records Common to Most Organizational Areas 

• 16: Public Diplomacy 

• 26: Protocol Records

Foreign:

• 02: Records Common to Most Organizational Areas 

• 15: Freedom of Information and Privacy Act Records 

• 16: Public Diplomacy 



b. Privacy Impact Analysis: Discuss the risks associated with the duration that 
data is retained and how those risks are mitigated. 

All CMD records are stored on OpenNet SQL servers that are protected using security
groups and DoS security settings. Only those with access to the database application
(password protection and single sign-in) can view these records. Records that are no
longer active and need to be retired are archived within the application which means
they are no longer searchable by users. Following approved record schedules and
retiring and archiving those records regularly ensures that they are not kept past their
date of usefulness.

CMD PIA, August 2012

6. Internal Sharing and Disclosure 

a. With which internal organizations is the information shared? What 
information is shared? For what purpose is the information shared? 

CMD is designed to be a post- or mission-wide shared contact application with the 
possibility to have all organizations at post or in the mission sharing this database. 
Official data is viewable by all users of CMD with the private data being restricted to the 
users with elevated privileges to whom those contacts belong; this is done using user 
level security permissions. This ensures that only information that is already public or
official is shared.

b. How is the information transmitted or disclosed? What safeguards are in 
place for each sharing arrangement? 

Since this is a collective database, official data is always available for the selected users 
of this database. Again, the private information is secured using user level security 
permissions built into the application. All information is shared by secure network 
transmission methods permitted under Department policy for the handling and 
transmission of SBU information. 

c. Privacy Impact Analysis: Describe risks to privacy from internal sharing and 
disclosure and describe how the risks are mitigated. 

The risk of a shared application like CMD is that users have access to a complete list of
all the names of the contacts in the application, though only the official data is available
to all users. The risk is mitigated by the application's built-in user level security which
separates private from official data.

7. External Sharing and Disclosure 

a. With which external organizations is the information shared? What 
information is shared? For what purpose is the information shared? 

No information is shared with external organizations. This is a DoS internal application 
only. 

b. How is the information shared outside the Department? What safeguards are 
in place for each sharing arrangement? 

No information is shared outside of the Department. 

c. Privacy Impact Analysis: Describe risks to privacy from external sharing and 
disclosure and describe how the risks are mitigated. 

Not applicable, since no sharing of information is done outside the Department. 

8. Notice



The system: 

[X] contains information covered by the Privacy Act.

Provide number and name of each applicable system of records.

• Protocol Records, State-33

□ does NOT contain information covered by the Privacy Act.

a. Is notice provided to the individual prior to collection of their information? 

The type of collection in CMD is covered by the SORN, State-33 (Protocol Records). 
Additionally, each section throughout the Department that uses CMD to collect data is 
responsible for providing notice as the collection requires. This may take the form of 
written or oral notice. 

b. Do individuals have the opportunity and/or right to decline to provide 
information? 

Yes. Most information collected for use in this application is from official sources, 
business cards or voluntary information request forms. If an individual does not want to 
provide information they do not have to. 

c. Do individuals have the right to consent to limited, special, and/or specific 
uses of the information? If so, how does the individual exercise the right? 

These opportunities are normally not available in CMD as the data used in the 
application is not shared with outside sources. The individual does have the right to 
specify how he/she would like to be contacted if he/she volunteers his/her information: at 
home, at the office or per email. 

d. Privacy Impact Analysis: Describe how notice is provided to individuals and 
how the risks associated with individuals being unaware of the collection are 
mitigated. 

The information collected is either from a public source or voluntarily submitted by the 
individual for contact purposes. The voluntary forms that are submitted are normally 
clearly marked for what purpose the information is collected, i.e. mailing list, receiving 
publications, receiving event notifications and other standard public affairs or protocol 
needs. The SORN mentioned above, State-33, alerts the public as to the type of 
collection of PII in CMD.

9. Notification and Redress 

a. What are the procedures to allow individuals to gain access to their 
information and to amend information they believe to be incorrect? 

No individual may gain access directly to their information in the application due to 
security regulations. If requested, the section that maintains that individual record may 
release parts of the individual's record to that individual as required by the Privacy Act; 
no information is released to third parties. Individuals may voluntarily make changes in
their contact information, thereby amending the information in the application. 

• Procedures for notification and redress are published in the system of records State-33, 
Protocol Records. 

b. Privacy Impact Analysis: Discuss the privacy risks associated with 
notification and redress and how those risks are mitigated. 

The notification and redress mechanisms offered to individuals are reasonable and 
adequate in relation to the system's purpose and uses. 

10. Controls on Access 

a. What procedures are in place to determine which users may access the 
system and the extent of their access? What monitoring, recording, and 
auditing safeguards are in place to prevent misuse of data? 

Access to the Contact Management Database is limited to authorized personnel who
require access for their official duties. This application is found on the OpenNet network,
and a user account is required to access this application via single sign-on using the DoS
account name. This requires that the user be added to a special "Contact Access"
domain group and also be added by hand to a user list located within the application.
The folder where the application is located is also protected, and access is
authorized only for those who have application access. The application has built-in
user level security where specific privileges can be set to limit what each user may
access and view. The application itself has a built-in log that tracks when and what
changes are made; this log can be used for administrative purposes of monitoring and
auditing.

b. What privacy orientation or training for the system is provided to authorized
users?

All users are required to undergo computer security and privacy awareness training prior 
to being given access to the system and must complete refresher training yearly in order 
to retain access. Additionally, all Federal employees are required to take the course 
entitled PA-459, Protecting Personally Identifiable Information. 

c. Privacy Impact Analysis: Given the sensitivity of PII in the system, manner of
use, and established access safeguards, describe the expected residual risk 
related to access. 

Access controls are in place to protect the information within CMD. The system is 
protected by the controls inherent in OpenNet. The special "contact access" domain 
group keeps track of users, and the activities of users are logged. Additionally, users 
are provided with computer security and privacy training. Any residual risk is expected 
to be minimal as a result of the controls in place. 

11. Technologies 

a. What technologies are used in the system that involve privacy risk? 

This application is a relational database solution based on SQL Server technologies.

b. Privacy Impact Analysis: Describe how any technologies used may cause 
privacy risk, and describe the safeguards implemented to mitigate the risk. 

There are no privacy risks associated with this application and technology as this 
application does not share data or connect to other data sources. SQL Database 
authorization and application security mitigate potential risks. 

12. Security 

What is the security certification and accreditation (C&A) status of the system? 

This is a low impact application and there is currently no C&A required. 

13. Certifying Officials' Signatures 

Mark VandenBos 

System Owner 

Brian Hering 

Program Manager 



Information Security Manager 

Email the completed PIA in MSWord format to "PIA Team". Upon signing, please
send this signature page to the same group email box in the form of a scanned
PDF, or send as paper via interoffice mail to "A/GIS/IPS/PRV".



TO BE COMPLETED BY A/GIS/IPS/PRV 

Reviewer: Approver: 